From a3707a10529c3d90a06149cf0e4bcd28b7b1ab5b Mon Sep 17 00:00:00 2001
From: Michael Yakubovich
Date: Mon, 16 May 2011 16:09:35 -0400
Subject: [PATCH 1/6] Fix bug2752 : 48-char HTTPProxyAuthenticator limitation

Bumped the char maximum to 512 for HTTPProxyAuthenticator & HTTPSProxyAuthenticator. Now stripping all '\n' after base64 encoding in alloc_http_authenticator.
---
 changes/bug2752 | 5 +++++
 src/or/config.c | 8 ++++----
 src/or/connection.c | 13 +++++++++++--
 3 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 changes/bug2752

diff --git a/changes/bug2752 b/changes/bug2752
new file mode 100644
index 000000000..328f11e81
--- /dev/null
+++ b/changes/bug2752
@@ -0,0 +1,5 @@
+ o Minor bugfixes
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Changed the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2917.
+
diff --git a/src/or/config.c b/src/or/config.c
index 614fc48c3..36a8940ca 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -3398,8 +3398,8 @@ options_validate(or_options_t *old_options, or_options_t *options,
 }
 if (options->HTTPProxyAuthenticator) {
- if (strlen(options->HTTPProxyAuthenticator) >= 48)
- REJECT("HTTPProxyAuthenticator is too long (>= 48 chars).");
+ if (strlen(options->HTTPProxyAuthenticator) >= 512)
+ REJECT("HTTPProxyAuthenticator is too long (>= 512 chars).");
 }
 if (options->HTTPSProxy) { /* parse it now */
@@ -3412,8 +3412,8 @@ options_validate(or_options_t *old_options, or_options_t *options,
 }
 if (options->HTTPSProxyAuthenticator) {
- if (strlen(options->HTTPSProxyAuthenticator) >= 48)
- REJECT("HTTPSProxyAuthenticator is too long (>= 48 chars).");
+ if (strlen(options->HTTPSProxyAuthenticator) >= 512)
+ REJECT("HTTPSProxyAuthenticator is too long (>= 512 chars).");
 }
 if (options->Socks4Proxy) { /* parse it now */
diff --git a/src/or/connection.c b/src/or/connection.c
index 5054909df..bcdde6756 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
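Review bot: The new bound is a bare `512` written twice per hunk, once in the condition and once in the rejection message, here and again in the HTTPSProxyAuthenticator hunk that follows; a single named constant (constructed example: `#define MAX_PROXY_AUTHENTICATOR_LEN 512`) used in `if (strlen(options->HTTPProxyAuthenticator) >= MAX_PROXY_AUTHENTICATOR_LEN)` keeps the check and the message from drifting apart. The limit exists because of the buffer the encoder writes into in alloc_http_authenticator, which is not visible in this file, so the constant should be defined once where both the validator and the encoder can see it rather than chosen independently in two places. Note the comparison is `>=`, so a value of exactly 512 characters is still rejected, which the message wording matches. options_validate begins before the hunk and ends after it.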
@@ -3232,8 +3232,17 @@ alloc_http_authenticator(const char *authenticator)
 authenticator, authenticator_length) < 0) {
 tor_free(base64_authenticator); /* free and set to null */
 } else {
- /* remove extra \n at end of encoding */
- base64_authenticator[strlen(base64_authenticator) - 1] = 0;
+ int i = 0, j = 0;
+ int len = strlen(base64_authenticator);
+
+ /* remove all newline occurrences within the string */
+ for (i=0; i < len; ++i) {
+ if ('\n' != base64_authenticator[i]) {
+ base64_authenticator[j] = base64_authenticator[i];
+ ++j;
+ }
+ }
+ base64_authenticator[j]='\0';
 }
 return base64_authenticator;
 }

From 480a75cbbd8067b32b2954303ca69401bfee58d9 Mon Sep 17 00:00:00 2001
From: Robert Ransom
Date: Thu, 28 Apr 2011 15:16:54 -0700
Subject: [PATCH 2/6] Check onion keys in microdescriptors, too

---
 changes/bug3207 | 4 ++++
 src/or/routerparse.c | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 changes/bug3207

diff --git a/changes/bug3207 b/changes/bug3207
new file mode 100644
index 000000000..65a7dac1a
--- /dev/null
+++ b/changes/bug3207
@@ -0,0 +1,4 @@
+ o Minor bugfixes:
+ - Require that onion keys have exponent 65537 in microdescriptors too.
+ Fixes part of bug 3207; bugfix on 0.2.2.25-alpha
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index be7a3fe89..57436f75e 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4336,6 +4336,11 @@ microdescs_parse_from_string(const char *s, const char *eos,
 }
 tok = find_by_keyword(tokens, K_ONION_KEY);
+ if (!crypto_pk_check_key_public_exponent(tok->key)) {
+ log_warn(LD_DIR,
+ "Relay's onion key had invalid exponent.");
+ goto next;
+ }
 md->onion_pkey = tok->key;
 tok->key = NULL;

From 2e07925a5285fd50626e853c48ab5b79eec8e933 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 17 May 2011 19:45:05 -0400
Subject: [PATCH 3/6] Oops; that function got renamed.

---
 src/or/routerparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
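Review bot: `int len = strlen(base64_authenticator);` narrows a `size_t` into an `int`, and the indices `i` and `j` are `int` too, so the new loop mixes signed counters with an unsigned length; declare them as `size_t i, j = 0;` and `const size_t len = strlen(base64_authenticator);` (the `i = 0` initializer is then redundant with the `for`). The compaction itself is sound: `j` never exceeds `i`, so the write stays behind the read, and the terminator is placed at `j`. What the hunk no longer explains is why newlines appear at all — the old code relied on the 48-byte cap producing exactly one base64 line plus one trailing newline — so a one-line comment on the loop, `/* the encoder wraps its output with '\n'; the authenticator has to be a single line, so compact every newline out */`, would make the reason for stripping all of them rather than just the last one clear. alloc_http_authenticator starts before the hunk, including the allocation whose size this loop depends on.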
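Review bot: The added `if` rejects a key without saying in code why the exponent is constrained; a short comment such as `/* Same exponent check as for router descriptors; reject onion keys whose exponent is not 65537 (bug 3207). */` ties the branch to the changes entry, since the "too" in the subject implies the descriptor parser already enforces this. The `log_warn` names no relay or digest, so an operator seeing "Relay's onion key had invalid exponent." cannot tell which microdescriptor was dropped; if an identifier is available at this point it belongs in the message. On the `goto next` path `tok->key` is deliberately left on the token instead of being moved into `md`, so the rejected key presumably gets freed with the token list — worth confirming, as `next:` is outside the hunk. microdescs_parse_from_string begins before the hunk and ends after it.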
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 57436f75e..ce98a47b6 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4336,7 +4336,7 @@ microdescs_parse_from_string(const char *s, const char *eos,
 }
 tok = find_by_keyword(tokens, K_ONION_KEY);
- if (!crypto_pk_check_key_public_exponent(tok->key)) {
+ if (!crypto_pk_public_exponent_ok(tok->key)) {
 log_warn(LD_DIR,
 "Relay's onion key had invalid exponent.");
 goto next;

From 21ed575826e701437f7893536ffc5c8d2a71532f Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 17 May 2011 19:46:47 -0400
Subject: [PATCH 4/6] Handle NULL argument to get_configured_bridge_by_addr_port_digest

Fixes bug 2313; bugfix on 0.2.2.26-beta.
---
 changes/bug3213 | 4 ++++
 src/or/circuitbuild.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug3213

diff --git a/changes/bug3213 b/changes/bug3213
new file mode 100644
index 000000000..ab7de2d62
--- /dev/null
+++ b/changes/bug3213
@@ -0,0 +1,4 @@
+ o Major bugfixes:
+ - Fix a crash bug when changing bridges in a running Tor process.
+ Fixes bug 3213; bugfix on 0.2.2.26-beta.
+
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 860cd2756..2f86e1fa3 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -4539,7 +4539,7 @@ get_configured_bridge_by_addr_port_digest(const tor_addr_t *addr,
 !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&
 bridge->port == port)
 return bridge;
- if (tor_memeq(bridge->identity, digest, DIGEST_LEN))
+ if (digest && tor_memeq(bridge->identity, digest, DIGEST_LEN))
 return bridge;
 }
 SMARTLIST_FOREACH_END(bridge);

From 9674fe7e2fdafdc7db7fac737c9e668b2a5e989a Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 17 May 2011 19:50:52 -0400
Subject: [PATCH 5/6] Add credit to bug2752; correct the issue number in the changes file

---
 changes/bug2752 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
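Review bot: The added `digest &&` guards only the second comparison; the first one still hands `addr` straight to `tor_addr_compare` on the line above, so if any caller can pass a NULL `addr` the same crash reappears there, and if none can, that precondition belongs in the function's doc comment (outside the hunk) next to the new allowance that `digest` may be NULL. A matching guard would read `addr && !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&`. The commit message cites bug 2313 while the changes file and its filename say 3213, so one of them is a typo. get_configured_bridge_by_addr_port_digest begins before the hunk and ends after it.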
diff --git a/changes/bug2752 b/changes/bug2752
index 328f11e81..b872d3374 100644
--- a/changes/bug2752
+++ b/changes/bug2752
@@ -1,5 +1,5 @@
- o Minor bugfixes
+ o Minor features:
 - Tor used to limit HttpProxyAuthenticator values to 48 characters.
 Changed the limit to 512 characters by removing base64 newlines.
- Fixes bug 2917.
+ Fixes bug 2752. Fix by Michael Yakubovich.

From 07c5026efa4c5fac64e5f3e843eae6bea0de54db Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Mon, 16 May 2011 12:58:44 -0400
Subject: [PATCH 6/6] refetch bridge descriptors in a timely fashion

When we configure a new bridge via the controller, don't wait up to ten seconds before trying to fetch its descriptor. This wasn't so bad when you listed your bridges in torrc, but it's dreadful if you configure your bridges via vidalia.
---
 changes/bug3198 | 4 ++++
 src/or/main.c | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 changes/bug3198

diff --git a/changes/bug3198 b/changes/bug3198
new file mode 100644
index 000000000..29c16852e
--- /dev/null
+++ b/changes/bug3198
@@ -0,0 +1,4 @@
+ o Major bugfixes:
+ - When we configure a new bridge via the controller, don't wait up
+ to ten seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
diff --git a/src/or/main.c b/src/or/main.c
index d700f0e7a..2c950245a 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -924,8 +924,6 @@ run_scheduled_events(time_t now)
 if (time_to_try_getting_descriptors < now) {
 update_router_descriptor_downloads(now);
 update_extrainfo_downloads(now);
- if (options->UseBridges)
- fetch_bridge_descriptors(options, now);
 if (router_have_minimum_dir_info())
 time_to_try_getting_descriptors = now + LAZY_DESCRIPTOR_RETRY_INTERVAL;
 else
@@ -938,6 +936,9 @@ run_scheduled_events(time_t now)
 now + DESCRIPTOR_FAILURE_RESET_INTERVAL;
 }
+ if (options->UseBridges)
+ fetch_bridge_descriptors(options, now);
+
 /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
 if (!last_rotated_x509_certificate)
 last_rotated_x509_certificate = now;
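Review bot: The relocated `fetch_bridge_descriptors(options, now)` now runs on every pass through run_scheduled_events instead of once per `time_to_try_getting_descriptors` interval (the removal is in the preceding hunk), so the code is relying on that function to throttle its own downloads, which nothing in this hunk shows; that dependency deserves a comment on the new call, e.g. `/* Run every pass rather than on the descriptor timer so a bridge added via the controller is fetched promptly; fetch_bridge_descriptors() is expected to rate-limit its own retries. */`. If it does not throttle, a bridge whose descriptor fetch keeps failing would be retried on every tick rather than after the retry interval. run_scheduled_events starts before the hunk and continues after it.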